From 6071528289e4a8b11a772433c33851136d30f133 Mon Sep 17 00:00:00 2001 From: Roberto Bertó <463349+robertoberto@users.noreply.github.com> Date: Tue, 19 May 2026 06:14:08 +0000 Subject: ci: pin actions by full commit SHA Per OpenSSF Scorecard 'Pinned-Dependencies' guidance, third-party GitHub Actions should be referenced by full commit SHA, not by tag. Tags are mutable; a SHA is not. Each pin keeps a '# vX.Y.Z' trailing comment so Dependabot can read the current version and propose updates while still pinning by SHA. - actions/checkout de0fac2 # v6.0.2 - actions/setup-python a309ff8 # v6.2.0 - astral-sh/setup-uv 0880764 # v8.1.0 - pypa/gh-action-pypi-publish cef2210 # v1.14.0 This commit does not change pyvyos HTTP payloads, request handling, or response parsing. --- .github/workflows/python-pr-validation.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to '.github/workflows/python-pr-validation.yml') diff --git a/.github/workflows/python-pr-validation.yml b/.github/workflows/python-pr-validation.yml index d4e55de..5defe21 100644 --- a/.github/workflows/python-pr-validation.yml +++ b/.github/workflows/python-pr-validation.yml @@ -16,15 +16,15 @@ jobs: python-version: ["3.11", "3.12", "3.13"] steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} - name: Install uv - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: enable-cache: true cache-dependency-glob: "pyproject.toml" -- cgit v1.2.3